1.1: Risk Assessment (Doshi)

Question 1

What are the elements of risk?

Answer 1

(1) Probability
(2) Impact
(3) Vulnerability
(4) Threat

Question 2

What is the risk formula?

Answer 2

Risk = Probability X Impact

or

Risk = Asset Value X Vulnerability X Threat

Question 3

What is a vulnerability?

Answer 3

Vulnerability is a weakness or gap in our protection efforts. Vulnerability can be in form of weak coding, missing anti-virus, weak access control and other related factors. Vulnerabilities can be controlled by us.

Vulnerability means weak or defenseless

Question 4

What is a threat?

Answer 4

A threat is what we’re trying to protect against.Our enemy could be Earthquake, Fire, Hackers, Malware, System Failure, Criminals and many other unknown forces. Threats are not in our control.

Threat means something that can exploit the weakness

Question 5

Is there a threat for a useless system?

Answer 5

Even though vulnerability is high for a useless system, threats do not exist.

Question 6

Steps of Risk assessment are:

Answer 6

1- Understand the business environment
2- Identify critical Assets/Processes.
3- Identify relevant risks (Vulnerability and threat)
4 - Prioritize the risks in order of criticality/ Risk Prioritization
5- Evaluate various control mechanisms available
6 - Apple relevant controls/ Risk Treatment

Question 7

IS Auditor identified certain threats and vulnerabilities in a business process. Next, an IS auditor should:

A. identify stakeholder for that business process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.

Answer 7

C. disclose the threats and impacts to management.

Question 8

Avoid confusion between Threat and vulnerability

Answer 8

1- A threat is what we’re trying to protect against. Threats are not in our control.

2- Vulnerability is a weakness or gap in our protection efforts. Vulnerabilities can be controlled by us.

Question 9

Absence of proper security measures represents a (n):

A. threat.
B. asset.
C. impact.
D. vulnerability.

Answer 9

D. vulnerability.

Question 10

Types of Risk are:

Answer 10

(1) Inherent
(2) Residual
(3) Detection
(4) Control

Question 11

Inherent Risk

Answer 11

The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls).

Question 12

Residual Risk

Answer 12

The risk that remains after controls are taken into account (the net risk or risk after controls).

Question 13

Detection risk

Answer 13

Detection risk is the possibility that an auditor will overlook errors or exceptions during an audit. Detection risk should carried at the beginning of risk assessment.

Question 14

Control risk

Answer 14

Risk that a misstatement could occur but may not be detected and corrected or prevented by entity’s internal control mechanism

Control risk is the probability that financial statements are materially misstated, due to failures in the system of controls used by a business

Question 15

Audit Risk

Answer 15

The risk that the financial statements are materially incorrect, even though the audit opinion states that the financial reports are free of any material misstatements

Question 16

Audit Risk Formula

Answer 16

Audit Risk = Inherent Risk X Control Risk X Detection Risk

Question 17

Risk treatement

Answer 17

• Risk Mitigation/Risk Reduction
• Risk Avoidance
• Risk Acceptance
• Risk Transfer

Question 18

How to do a RISK Assessment

Answer 18

• First step is to identify the assets. (in some cases critical process)
• Second step is to identify relevant risk. (vulnerability/threat)
• Third step is to do impact analysis. (qualitative or quantitative)
• Fourth step is prioritizing the risk on the basis of impact.
• Fifth step is to evaluate controls.
• Sixth step is to apply appropriate controls.

Question 19

Control Risk:

Answer 19

Risk that a misstatement could occur but may not be detected and corrected or prevented by entity’s internal control mechanism